CVE-2024-46780 – nilfs2: protect references to superblock parameters exposed in sysfs
https://notcve.org/view.php?id=CVE-2024-46780
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore "nilfs->ns_sem". Some sysfs attribute show methods rea... • https://git.kernel.org/stable/c/da7141fb78db915680616e15677539fc8140cf53 •
CVE-2024-46778 – drm/amd/display: Check UnboundedRequestEnabled's value
https://notcve.org/view.php?id=CVE-2024-46778
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. This fixes 1 REVERSE_INULL issue reported by Coverity. Ubuntu Security Notice 7154-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use the... • https://git.kernel.org/stable/c/4e2b49a85e7974d21364798c5d4aa8070aa864d9 •
CVE-2024-46777 – udf: Avoid excessive partition lengths
https://notcve.org/view.php?id=CVE-2024-46777
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap. Ubuntu Security Notice 7156-1 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local atta... • https://git.kernel.org/stable/c/c0c23130d38e8bc28e9ef581443de9b1fc749966 •
CVE-2024-46776 – drm/amd/display: Run DC_LOG_DC after checking link->link_enc
https://notcve.org/view.php?id=CVE-2024-46776
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity. Ubuntu Security Notice 7156-1 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service.... • https://git.kernel.org/stable/c/874e3bb302f97b94ac548959ec4f925b8e7b45e2 •
CVE-2024-46775 – drm/amd/display: Validate function returns
https://notcve.org/view.php?id=CVE-2024-46775
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity. Ubuntu Security Notice 7156-1 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of ser... • https://git.kernel.org/stable/c/5639a3048c7079803256374204ad55ec52cd0b49 •
CVE-2024-46774 – powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
https://notcve.org/view.php?id=CVE-2024-46774
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks... • https://git.kernel.org/stable/c/68d8156480940b79227d58865ec5d2947b9384a8 •
CVE-2024-46773 – drm/amd/display: Check denominator pbn_div before used
https://notcve.org/view.php?id=CVE-2024-46773
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity. Ubuntu Security Notice 7156-1 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service. Several security... • https://git.kernel.org/stable/c/20e7164c52d9bfbb9d9862b833fa989624a61345 •
CVE-2024-46772 – drm/amd/display: Check denominator crb_pipes before used
https://notcve.org/view.php?id=CVE-2024-46772
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity. Ubuntu Security Notice 7156-1 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service. Several secur... • https://git.kernel.org/stable/c/ede06d23392529b039cf7ac11b5875b047900f1c •
CVE-2024-46771 – can: bcm: Remove proc entry when dev is unregistered.
https://notcve.org/view.php?id=CVE-2024-46771
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to a... • https://git.kernel.org/stable/c/ffd980f976e7fd666c2e61bf8ab35107efd11828 •
CVE-2024-46762 – xen: privcmd: Fix possible access to a freed kirqfd instance
https://notcve.org/view.php?id=CVE-2024-46762
18 Sep 2024 — In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an alre... • https://git.kernel.org/stable/c/e997b357b13a7d95de31681fc54fcc34235fa527 •